Aug 1998
"Virtual CD-ROM V1"
( 'Cracking Another TimeLock32 Program'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: VCD95.zip
Program Type: Disk Utility
Program Location: Here 
Program Size: 1.7 Mb 
 
    
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
   
 
Virtual CD-ROM V1
( 'Cracking Another TimeLock32 Program'  )
Written by The Sandman
 
 
 
Introduction
 
The author(s) of Virtual CD-ROM  says:-
 
"Virtual CD-ROM makes CD-ROM applications faster, more portable, and easier to use. It accomplishes this by turning your CD-ROM data into hard disk data in a CD container file, also referred to simply as a Virtual CD.

Working with Virtual CD-ROM is a two stage process. First, you create Virtual CDs from your CD-ROM(s). After they are created, you "insert" them to and "eject" them from drive letters designated by the software. You can add more Virtual CDs at any time, and work with them just as you would with actual CD-ROMs. When necessary, you can delete your Virtual CDs to regain hard disk space.

Why Use Virtual CDs?

Virtual CDs allow you to:

· Speed up your CD-ROM applications
· Use more than one CD simultaneously, even though you only have one CD-ROM drive
· Use CD-ROMs on PCs without a CD-ROM drive
· Take CD-ROMs on the road, loading them from your notebook PC’s docking station and using them in your notebook PC without a CD-ROM drive"
 
About this protection system
 
This program uses a .DLL file called TLock32.DLL (TimeLock) for its protection system, and because of this it follows a set of well-known steps that let us crackers register this babe quickly, with little fuss, and move on to the next *crack*.
 
On successful installation the program creates a vcdrom.ini file in your C:\Windows directory with a number of entries in it; the only one of interest to us is:

[User]
UserName=Trial User
UserCompany=
RegNum=770528576607    ; This is the 15-day 'Shareware' registration number;
                       ; it will be different on your machine.
 

To find the registration entries added to your System Registry, load up RegEdit and search for "logicraft".

Your 15-day trial 'counter' is hidden inside a file called 26252.tdk, which is placed in your C:\Windows directory.

This file is ALSO used to store your *legal* serial number, and will look something like this once you've properly registered the program:

770528576607             øïi dôi ïâù¿ò   [s÷¿‘òi ði     º ði 07656287  Ź^øî0         x77xhsd wb  %ld 0   903100535 ÷¿„s÷¿ði
 
The number 770528576607 is the 'Shareware Serial' number for my copy of Virtual CD-ROM (the same RegNum value as in vcdrom.ini).

The number 07656287 is the *legal* registered serial number, derived from that shareware serial.

The 'other' non-ASCII characters hold the 'days remaining till expiry' and my 'User details', all of which are stored encrypted.
 
 
The Essay 
     
Well, look here, what do we have? It's our 'old' friend the TLock32.DLL protection system; we are very close friends by now. This has to be the protection system I know best. When I heard of this program (Virtual CD-ROM) I expected a much better protection on it, based on its rival product [ Virtual Drive 2 ], which was a pain to crack and, I must admit, I needed help to crack that one.

Anyway, the makers [ Logicraft Information Systems, Inc ] have since stopped offering this program from their web site for various reasons (perhaps because too many people were *cracking* it?), so it's a little hard to find copies of it on the web. Not here, though: I've uploaded it for you to review..:)

After a successful installation and first run you'll be greeted with the familiar TimeLock nag screen, informing you that you have 15 days to either buy this product or crack it. Let's aim for 15 minutes; that's all we need to crack this babe.

You might want to create a 'Dead Listing' of Tlock32.DLL to help you familiarize yourself with this type of protection system as well as help you to follow this essay.

OK, fire up Virtual CD-ROM and, at the nag screen that greets you, click on the 'Purchase' button and fill in your Name, Organisation and a fake Unlock code.

I used:

Unlock Code: 7777777
User Name: The Sandman
Organization: -
 
Before proceeding with the registration, press Ctrl-D to pop up Softice, type bpx messageboxa to break on every call to MessageBoxA, then type x to leave Softice.
 
Now click once on the 'OK' button..

Softice breaks... Press F11 once (this returns you to the caller) and the following message appears: "You have entered an incorrect code, please contact the vendor".

Click on the 'OK' button.

Softice breaks again, and now we are in the TLock32.DLL code:

* Referenced by a (C)onditional Jump at Address :1000224C(C)
 
:10002278 6800200000              push 00002000
:1000227D 68D0F90010              push 1000F9D0

* Possible StringData Ref from Data Obj ->"You have entered an incorrect "
                                        ->"code please contact the vendor."
 
:10002282 68F0E10010              push 1000E1F0
:10002287 6A00                    push 00000000
:10002289 FF159C130110            Call USER32.MessageBoxA
:1000228F 6A01                    push 00000001
:10002291 56                      push esi
:10002292 FF15A0130110            Call dword ptr [100113A0]
:10002298 B801000000              mov eax, 00000001
:1000229D E9F0FCFFFF              jmp 10001F92

If you've already read my essay on cracking WebDoctor (Essay 51), you'll know that we are right next to the routines that check whether we've entered a 'special' registration code that restores the 15-day evaluation period, so I won't waste your time repeating those steps. Instead I'll go directly to where you must go to sniff out the *real* serial number, and I hope you'll refer to Essay 51 to familiarise yourself with the way TLock32 operates.

While still in Softice, inside TLock32.DLL, type: u 1000216c, which should display the following section of code:-

:1000216A 50                      push eax ;Save your User Name
:1000216B 51                      push ecx ;Save your Fake Serial #
:1000216C E8AFF1FFFF              call 10001320 ; Check serial's
                                                ; Returns: eax=0 FAIL
                                                ;   OR     eax=1 PASS
 
:10002171 83C408                  add esp, 00000008
:10002174 85C0                    test eax, eax ;eax=0?
:10002176 0F84C1000000            je 1000223D   ;yes? then check if User
                                                ;wants extended trial time
 
Now type: bc * to clear our previous Softice breakpoint, then type: bpx 1000216A to set a new one.

For those of you who might be lost here: this breakpoint is a little further up the code listing from our original messageboxa breakpoint, and this section of code is where the program begins to compare our *fake* serial number against the *real* one. I found it by back-tracing from the MessageBoxA call through trial and error. I suggest that at some point you too try back-tracing your way through this code, so that you can see for yourself why the *real* serial number can be sniffed out from this point onwards..

Now type x to leave Softice and bring up the 'Registration Screen' again, fill in your User details and a fake Unlock code once more, and when you've done that press that 'OK' button again..

Softice now breaks at:...
 
:1000216A 50                      push eax ;Save your User Name
:1000216B 51                      push ecx ;Save your Fake Serial #
:1000216C E8AFF1FFFF              call 10001320 ; Check serial's
                                                ; Returns: eax=0 FAIL
                                                ;   OR     eax=1 PASS
 
:10002171 83C408                  add esp, 00000008
:10002174 85C0                    test eax, eax ;eax=0?
:10002176 0F84C1000000            je 1000223D   ;yes? then check if User
                                                ;wants extended trial time

We're almost there.. 
 

Right, once you land at the above code press F10 TWICE, so that you are now resting on the call 10001320 instruction, then type T, which tells Softice to trace into this call rather than step over it.

If you've done this correctly Softice should take you to this rather interesting routine, which I've commented for you..:)
 
* Referenced by a CALL at Addresses :100010A9   , :1000216C
 
:10001320 83EC14           sub esp, 00000014
:10001323 8D442400         lea eax, dword ptr [esp] ;eax = Temp Workspace
:10001327 50               push eax ;Save eax address
:10001328 E843070000       call 10001A70 ;Generate *REAL* serial
 
 
:1000132D 8D442404         lea eax, dword ptr [esp+04] ;eax =*real* serial
:10001331 8B4C241C         mov ecx, dword ptr [esp+1C] ;ecx =*fake* Serial

;Once 10001331 has executed (you're resting on 10001335), type D EAX and you will see your *REAL* serial No.

:10001335 83C404           add esp, 00000004
:10001338 50               push eax                 ;Save eax
:10001339 51               push ecx                 ;Save ecx
:1000133A FF158C120110     Call KERNEL32.lstrcmpA   ;Compare BOTH serials
                                                    ;Returns eax=0 if they
                                                    ;match, <0 or >0 if not
:10001340 83F801           cmp eax, 00000001        ;eax=0? then 0-1 borrows
                                                    ;and the Carry flag is set
:10001343 1BC0             sbb eax, eax             ;eax = -CF (FFFFFFFF or 0)
:10001345 83C414           add esp, 00000014        ;drop the 0x14 workspace
:10001348 F7D8             neg eax                  ;eax = 1 PASS, 0 FAIL
:1000134A C3               ret

Once you have the real Unlock code then re-run Virtual CD-ROM and use that serial code to register this babe.
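To make the weakness explicit, here is an added C model of the check at 10001320. It is my illustration, not code from this essay and not TLock32's own code: every function name is hypothetical, the serial derivation inside derive_real_serial() is constructed (the real algorithm behind 10001A70 is not documented here), and FNV-1a stands in for a proper hash. The model shows why the compare leaks the real code, emulates the cmp/sbb/neg tail flag by flag, and sets beside it a verifier that never materialises the real serial in the process.

```c
/* Added example, not from the essay or TLock32.DLL.  All names hypothetical;
 * the serial derivation is constructed and FNV-1a is a placeholder mixer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a: placeholder only, NOT a cryptographic hash (use SHA-256). */
static uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Stand-in for the generator called at 10001328 (10001A70): derives an
 * 8-digit "real" unlock code from the machine's shareware serial. */
static void derive_real_serial(const char *shareware, char out[16])
{
    snprintf(out, 16, "%08u", (unsigned)(fnv1a32(shareware) % 100000000u));
}

/* The tail of 10001320, emulated flag by flag:
 *   cmp eax,1    -> CF=1 only when eax==0 (0 - 1 borrows)
 *   sbb eax,eax  -> eax = 0 - CF  (0xFFFFFFFF if CF, else 0)
 *   neg eax      -> 1 if CF, else 0
 * so the routine returns 1 exactly when lstrcmpA returned 0 (equal). */
static int tlock_result_from_lstrcmp(int rc)
{
    uint32_t eax = (uint32_t)rc;
    uint32_t cf = (eax < 1u);   /* borrow out of cmp eax,1 */
    eax = eax - eax - cf;       /* sbb eax,eax */
    eax = 0u - eax;             /* neg eax */
    return (int)eax;
}

/* Model of 10001320: the REAL serial is built in a stack buffer and then
 * handed, in the clear, to a plain string compare.  A breakpoint on the
 * compare (lstrcmpA in the DLL) reads it straight off the stack. */
static int tlock_check_serial(const char *shareware, const char *entered)
{
    char real[16];                         /* the 0x14-byte local workspace */
    derive_real_serial(shareware, real);   /* call 10001A70 */
    int rc = strcmp(entered, real);        /* KERNEL32.lstrcmpA */
    return tlock_result_from_lstrcmp(rc);  /* 1 = PASS, 0 = FAIL */
}

static int original_accepts_real(const char *shareware)
{
    char real[16];
    derive_real_serial(shareware, real);
    return tlock_check_serial(shareware, real);
}

/* Hardened shape: the vendor fingerprints the real serial once, off the
 * user's machine, and only the fingerprint is ever shipped to the client. */
static uint32_t vendor_fingerprint(const char *shareware)
{
    char real[16];
    derive_real_serial(shareware, real);
    return fnv1a32(real);
}

/* Constant-time equality: 1 iff a == b, with no early exit. */
static int ct_equal32(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    d |= d >> 16;
    d |= d >> 8;
    return (int)(((d & 0xFFu) - 1u) >> 31);
}

/* Client side: hashes what the user typed and compares fingerprints.  The
 * real serial never exists in the process, so D EAX has nothing to show. */
static int verify_serial_hardened(const char *entered, uint32_t expected_fp)
{
    return ct_equal32(fnv1a32(entered), expected_fp);
}

static int hardened_accepts_real(const char *shareware)
{
    char real[16];
    derive_real_serial(shareware, real);
    return verify_serial_hardened(real, vendor_fingerprint(shareware));
}

int main(void)
{
    const char *sw = "770528576607";       /* RegNum from vcdrom.ini */
    printf("fake 7777777, original check -> %d\n", tlock_check_serial(sw, "7777777"));
    printf("derived code, original check -> %d\n", original_accepts_real(sw));
    printf("fake 7777777, hardened check -> %d\n",
           verify_serial_hardened("7777777", vendor_fingerprint(sw)));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the hardened verifier only defeats serial fishing; a cracker who patches the je 1000223D that consumes the result still gets in, so this is a complement to, not a substitute for, integrity checks. Second, an 8-digit code has only 10^8 possibilities, so whatever hash is used, an offline brute force against the shipped fingerprint is cheap; the real fix is a longer key space (or an online check), not a stronger hash.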
 
Job Done.
 
The Crack
     
None required.
 

If you intend to use this program beyond its evaluation period then please BUY IT!
 
Final Notes 
    
Since I've now covered the TLock32.DLL protection system in about three essays, I will no longer write any more essays involving this type of protection, since all I would be doing is repeating myself and not teaching you anything new. By all means read my other TLock32 cracking essays and learn from them; you'll quickly see that there's only so much I can write about them, since they use almost identical steps to crack!

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 14th August 1998